thank you very much gmatteso,

Ueli Bosshard · ‎10-09-2014

Hello support community,

I will have to install a small jabber guest deployment soon (approx 5 - 10 jabber guest clients used for video only, no IM/Presence). The setup will be the following: CUCM 10.5, Expressway-C and Expressway-E. The jabber guest clients will be used on both intranet and internet side.

As this is a very small deployment I would like to avoid the additional efforts to be done and dependencies with certificates from a certificate authority.

(I heard this used to be possible at least with jabber 9.x, but this might have changed with jabber 10.x)

Does anybody know if this will work with such "selfsigned cert" setup? And if it basically would work, it this would bring along any disadvantages in user experience, such as jabber client displaying any error messages?

Thanks and kind regards Ueli

Gary Matteson · ‎10-10-2014

Hi Euli,

I beleive that there is a requirement to do A CA certificate (not use the temporary one) However, this guide will show you how to use OpenSSL to create a self signed CA. Then you can upload these self signed CAs to upload to the expressway C & E and then use these to generate a CSR to re-run against openSSL. openSSL is installed by default on MACs ( I believe) and it is freeware. You can also get it here

In this guide the order that you want to do things is

Page 19 Configure OpenSSL to act as A CA

Page 21 Creating a Signed certificate using openSSL (Generate a certificate signing request on both the core and edge boxes, and then dowload them and run them through openssl.

IF you follow the instructions carefully, then it will work fine for you. If you change any of your file names, make sure you update the switches on the command line to reflect those changes.

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-2/Cisco-Expressway-Certificate-Creation-and-Use-Deployment-Guide-X8-2.pdf

Ueli Bosshard · ‎10-15-2014

Hi gmatteso,

Thank you very much for your very helpful answer, much appreciated. Likely I will go with implementing this self signed CA solution.

Going through the guide you sent me the link for and through other documents (mobile and remote access via cisco expressway deployment guide x8.1.1 page 25 - 26), I understand that easiest will be to have a SIP TCP SIP trunk (non secure) between cucm and expressway-c and that this should work fine together with Jabber. In case I would need to use a TLS SIP trunk, I understand that I could install the self signed ca certificate (from Expressway-C) to cucm and this should work. Do you also think so?

Thank you and best regards Ueli

Gary Matteson · ‎10-15-2014

Euli,

Yes I think that would work fine. I did notice that you mentioned the 8.1.1 giude for Mobile Remote access set up, I would recommend that you use the 8.2 guide as there were some significant changes in how traversal zones are setup between Expressway C & E.

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-2.pdf

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-2/Mobile-Remote-Access-via-Expressway-Deployment-Guide-X8-2.pdf

Ueli Bosshard · ‎10-15-2014

thank you very much gmatteso, yes, I will use the 8.2 guide for the implementation. I will inform you via this channel if all this worked fine in the field. I will implement this in about 2 weeks.

Gary Matteson · ‎10-15-2014

Your welcome, and let me know how it goes. If all works well, don't forget to endorse! :)

Jabber guest with CUCM, Expressway-C and -E setup: certificates from cert-authority mandatory?